Paypal are idiots

The email rings all the alarm bells for being a phishing attempt. If I didn’t have relatively safe command-line tools to evaluate it, I wouldn’t have touched it.

In an era where all personal data is on the line, when anti-fraud companies are warning everyone to be very careful about trusting email, and especially to avoid clicking links, it’s stupid for a major company to encourage you to take risks.

If I knew who to report this to, I would. But it isn’t phishing, it only masquerades as being phishing.

The email is in HTML. One of the surest signs of phishing is a link whose real target (the URL your mail client shows when you mouse over it) is different from the text of the link. This one does exactly that.

So if you click on the link, you don’t go to where the text says. Instead, it takes you to a redirector at email1.paypal.com. Had the redirector been anywhere else, I’d have known beyond any reasonable doubt that the mail was phishing. But for it to be within the paypal.com domain, a phisher would have had to take control of a paypal server, or find a vulnerability in one. Neither is out of the question, and it could be done to make the mail look more legitimate, but another option is that the sender is an idiot, so I decided to keep looking.

The redirector at email1.paypal.com redirects to somewhere else, outside of the paypal.com domain. So now it looks like a spammer did take control of a paypal server to make the redirection look more legitimate.

The site that it redirects to is link.p0.com. If p0.com is a legitimate business, it keeps a very low profile. There’s nothing at the root of the website. There’s nothing useful in its whois entry. But googling p0.com comes up with several other businesses that seem to be sending email traffic through p0.com. Maybe it’s a high-volume web/email service, like akamai.com. But if it is, why doesn’t it at least publicize that fact, so that it doesn’t scare customers away? (One forum entry I found was a post by someone who refused to respond to email from p0.com without knowing what it was.)

But then, following the redirection chain further did bring me back to PayPal, to the same place the text version of the links points to.
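The two checks described above, comparing each link’s visible text with its real href and then walking the redirect chain hop by hop, are the kind of thing that can be done from the command line without ever rendering the mail. The script below is an added example, not the tools I used, and not anything from PayPal. The sample message is constructed to mirror the mail described here (the hostnames email1.paypal.com and link.p0.com come from the post; the paths and query strings are made up), and the redirect chain is simulated with an in-memory table so the script runs offline.

```python
"""Inspect an HTML e-mail's links without opening it in a browser.

Added example (not the post author's own tooling). The message and the
redirect table below are constructed for illustration: the hostnames
follow the post, everything else (paths, query strings, headers) is an
assumption, and no network access happens.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible link text says paypal.com but the href
# points at a redirector. Header values are made up.
SAMPLE_EMAIL = """\
From: service@paypal.com
To: me@example.invalid
Subject: Confirm your account details
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review your account:
<a href="http://email1.paypal.com/r/?u=abc123">https://www.paypal.com/myaccount</a>
<a href="https://www.paypal.com/help">Help Center</a>
</p></body></html>
"""

# Simulated Location headers, standing in for real HTTP responses
# (assumption: the chain described in the post, with invented paths).
SIMULATED_REDIRECTS = {
    "http://email1.paypal.com/r/?u=abc123": "http://link.p0.com/click?id=abc123",
    "http://link.p0.com/click?id=abc123": "https://www.paypal.com/myaccount",
}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(raw_message):
    """Parse the raw RFC 5322 message and pull every anchor from its HTML body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    parser = LinkCollector()
    parser.feed(body.get_content())
    return parser.links


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def mismatched_links(raw_message):
    """Return links whose visible text is itself a URL on a different host
    than the real target: the 'mouseover differs from the link text' sign."""
    bad = []
    for href, text in extract_links(raw_message):
        if "://" in text and host_of(text) != host_of(href):
            bad.append((text, href))
    return bad


def follow_chain(url, fetch_location, max_hops=10):
    """Walk Location redirects with a caller-supplied resolver, recording
    each hop. Stops after max_hops so a redirect loop cannot run forever."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain
        chain.append(nxt)
    return chain


if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_EMAIL):
        print(f"link text says {text!r} but href is {href!r}")
        for hop in follow_chain(href, SIMULATED_REDIRECTS.get):
            print("  ->", host_of(hop))
```

Against a real message, the resolver passed to follow_chain would issue one request per hop that returns the Location header without following it (curl’s -I with --max-redirs 0 does this), so each intermediate host is seen and nothing at the far end is executed. The hop limit matters: a redirector that loops, or one that bounces between two hosts, would otherwise keep the walk going indefinitely.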

Also: the mail was sent to my primary PayPal email address. That’s one I don’t use anywhere. I don’t get spam on it. I’ve never seen spam there, while I get lots of PayPal phishing mail at my other addresses.

So, either:

– This is an incredibly sophisticated phishing email that involves a compromised server at paypal.com and a redirector at (what appears to be) a large business site that sends you back to PayPal rather than to the phisher’s site for some unknown purpose, since it didn’t get to steal passwords and account info on the way, or

– This is a legitimate mail that looks exactly like phishing email from a company that’s a prime target of phishing, which redirects through a shrouded external business for no apparent reason.

I guess there could be a third option. Maybe this is PayPal sending out apparent phishing email to collect statistics on who is gullible enough to click through links they should clearly avoid. Looked at that way, maybe it isn’t so stupid after all. Something tells me this isn’t the right answer, though.

This entry was written by iain, posted on August 27, 2009 at 12:31 pm, and filed under For Nerds Only.